-
签发证书
# ca.pem, ca-key.pem ca-config.json 是原始签发的ca根证书,和json根 # kubelet-csr.json 现在是统一做一个统一证书,以后可不用重复签发 # cat kubelet-csr.json { "CN": "system:node", "hosts": [ "127.0.0.1", "192.168.2.3", "192.168.2.4", "192.168.2.5", .....# 中间是遍历了所有网段的ip地址,这里不可以写网段 ..... "192.168.3.249", "192.168.3.250", "192.168.3.251", "192.168.3.252", "192.168.3.253" ], "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "ST": "HangZhou", "L": "XS", "O": "system:nodes", "OU": "System" } ] } cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kubelet-csr.json |cfssljson -bare kubelet
-
生成kubelet.kubeconfig 凭证
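# Build kubelet.kubeconfig in four kubectl steps. The step labels are comments so the
# listing can be pasted into a shell as-is.
#
# NOTE(review): with client certificates the API server takes the username from the
# certificate CN and the groups from its O fields; the kubeconfig entry name "k8s-node"
# is only a local label. Step 2 embeds kubernetes.pem / kubernetes-key.pem, not the
# kubelet.pem / kubelet-key.pem produced by the signing step -- confirm which
# certificate is intended, because that decides which RBAC subject applies.
# NOTE(review): --embed-certs=true in step 2 copies the client private key into
# kubelet.kubeconfig, so the file must be handled like the key itself.

# 1) set-cluster: the address used to connect to the apiserver
kubectl config set-cluster myk8s \
  --certificate-authority=/etc/kubernetes/ssl/ca.pem \
  --embed-certs=true \
  --server=https://127.0.0.1:6443 \
  --kubeconfig=kubelet.kubeconfig

# 2) set-credentials
kubectl config set-credentials k8s-node \
  --client-certificate=/application/kubernetes/ssl/kubernetes.pem \
  --client-key=/application/kubernetes/ssl/kubernetes-key.pem \
  --embed-certs=true \
  --kubeconfig=kubelet.kubeconfig

# 3) set-context
kubectl config set-context myk8s-context \
  --cluster=myk8s \
  --user=k8s-node \
  --kubeconfig=kubelet.kubeconfig

# 4) use-context
kubectl config use-context myk8s-context --kubeconfig=kubelet.kubeconfig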
-
配置kubelet的rbac权限
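# Both manifests below must be applied: the older credential set uses the user
# "kubernetes", the newly created one uses "k8s-node"; k8s-node is the one to use from now on.
#
# The two bindings need distinct metadata.name values. With the same name, applying the
# second manifest replaces the subjects of the first (or creation fails because the object
# already exists), so only one user would end up bound. The first binding is therefore
# named "kubernetes-node" here (a name constructed for this listing).
#
# NOTE(review): a User subject is matched against the authenticated username, which for
# client certificates is the certificate CN -- confirm "kubernetes" and "k8s-node" are the
# CNs of the certificates actually in use.
# NOTE(review): binding the system:node ClusterRole directly to a shared user grants
# node-level API access without per-node scoping; the Node authorizer together with
# NodeRestriction is the mechanism that limits each kubelet to its own node's objects.
# cat kubernetes.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubernetes-node
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:node
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: kubernetes
---
# cat k8s-node.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: k8s-node
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:node
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: k8s-node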
-
kube-proxy.kubeconfig不需要每个node都配置,使用原先的
-
配置nginx 代理api-server
cat /etc/nginx/nginx.conf  # nginx 1.20 needs the stream module installed separately
...
# TCP (stream) proxy in front of the three API servers. No TLS directive appears here,
# so the connection is passed through and TLS, including the client certificate,
# is handled by the apiserver itself.
stream {
    upstream apiserver_6443 {
        server 192.168.2.91:6443;
        server 192.168.2.92:6443;
        server 192.168.2.93:6443;
    }
    server {
        # NOTE(review): "listen 6443" binds every interface. The kubeconfig on this page
        # points at https://127.0.0.1:6443; if only local components use this proxy,
        # "listen 127.0.0.1:6443;" would keep it off the network -- confirm before changing.
        listen 6443;
        proxy_pass apiserver_6443;
    }
}
# Check the configuration syntax, then reload nginx to pick it up.
nginx -t
systemctl reload nginx
-
配置ssh信任
# Install this host's public key on the new node so later copy steps can log in with the key.
# xxxx is the page's placeholder for the target host (node8).
ssh-copy-id -i ~/.ssh/id_rsa.pub xxxx #node8
-
将一系列文件拷贝至新node
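# Copy the Kubernetes, kubelet, kube-proxy, Calico and CNI files from this host to node8.
# The original listing copied /etc/calico/ twice; the repeated command is dropped.
#
# NOTE(review): "scp -r kubernetes/" copies everything under /etc/kubernetes, including
# its ssl/ directory. If the CA private key (ca-key.pem) is stored there it ends up on
# every worker node; a worker presumably needs only ca.pem and its own client
# certificate and key -- confirm and exclude the CA key.
# NOTE(review): /var/lib/kubelet is copied as a whole; presumably it also holds state that
# belongs to the source node -- verify what the new node actually needs.

# kubelet.kubeconfig below is resolved relative to /etc/ because of this cd.
cd /etc/
scp -r kubernetes/ node8:/etc/
scp kubelet.kubeconfig node8:/etc/kubernetes/

# systemd units
scp -r /etc/systemd/system/kubelet.service node8:/etc/systemd/system
scp -r /etc/systemd/system/kube-proxy.service node8:/etc/systemd/system

# kubelet and kube-proxy data directories
scp -r /var/lib/kubelet node8:/var/lib/
scp -r /var/lib/kube-proxy/ node8:/var/lib/

# Calico and CNI configuration
scp -r /etc/calico/ node8:/etc/
scp -r /etc/cni/ node8:/etc/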
-
登录node8中,修改kubelet和kube-proxy的配置文件
# 修改成对应的ip地址(略) # hostname 不能带特殊字符和下划线(_)
-
安装docker
略
-
启动kubelet和kube-proxy